The number and variety of threats to computing systems are constantly growing. So, too, are the number and variety of legitimate applications. Security software vendors who wish to protect their customers from the latest threats may analyze a large number of applications in order to determine which applications are benign and which are malicious. Security software vendors often simulate popular computing environments using virtual machines in an attempt to analyze potential malware without expending large amounts of physical resources to analyze each application on physical computing environments.
Unfortunately, malware authors may be aware of this technique and may design their malware to act differently on virtual computing environments in order to avoid detection. Traditional systems for analyzing potential malware on virtual machines may be unable to detect malware that changes its behavior based on the computing environment. Some traditional systems may attempt to feed potential malware false information about the type of environment on which the malware is being hosted, but the malware may still accurately determine that it is being hosted on a virtual computing environment and act accordingly to avoid detection. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for categorizing virtual-machine-aware (VM-aware) applications for further analysis.